CVE-2023-33937

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.1.0 through 7.3.0 Liferay DXP versions 7.1 before fix pack 18 Liferay DXP versions 7.2 before fix pack 5

Description A stored cross-site scripting (XSS) issue exists in the Form widget configuration, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form's name field. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Liferay Portal versions 7.1.0 through 7.3.0, update to a version that includes the fix for this issue. For Liferay DXP version 7.1, apply fix pack 18 or later. For Liferay DXP version 7.2, apply fix pack 5 or later. As a temporary workaround, consider restricting access to the Form widget configuration to minimize the risk of exploitation. Avoid using the name field in the Form widget until the issue is resolved.